 Post subject: Configure GRE over IPSec with iBGP/eBGP
PostPosted: Sat Aug 17, 2013 5:03 pm 
Hello, I'm upgrading a router autoconfiguration program to support tunnels and I have some problems with configuring the GRE over IPSec tunnel over the BGP protocol. The program automatically deploys iBGP and OSPF as internal protocols and eBGP as external. My sample test network looks like this:

[Attachment: Screenshot_1.jpg, "Test network"]

The 3 routers on the left belong to ASN 1 and the 3 on the right to ASN 2. The routers in the middle (3 and 5) use eBGP to connect the ASNs.

The configuration file for tunnel router 1 (and the same for 6) is:

Code:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key VAULT address 1.0.0.11
!
!
crypto ipsec transform-set MYTRANS esp-aes esp-sha-hmac
!
crypto ipsec profile PROTECT
set transform-set MYTRANS
!
!
interface Loopback0
  description Loopback
  ip address 1.0.0.1 255.255.255.255   
!

interface f0/0
  description 1 to 3
  ip address 10.0.0.5 255.255.255.252   
  ip ospf cost 1
  duplex auto
  speed auto
  no shutdown
!

interface f1/0
  description 1 to 2
  ip address 10.0.0.1 255.255.255.252   
  ip ospf cost 1
  duplex auto
  speed auto
  no shutdown
!

interface tunnel16
  description tunnel to 6
  ip address 10.0.0.9 255.255.255.252
  tunnel source loopback 0
  tunnel destination 1.0.0.11
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile PROTECT
!
!
router ospf 1
! Loopback
  network 1.0.0.1 0.0.0.0 area 0
  log-adjacency-changes
  passive-interface Loopback0
  network 10.0.0.4 0.0.0.3 area 0
  network 10.0.0.0 0.0.0.3 area 0
!
!
router bgp 1   
  bgp router-id 1.0.0.1
  no synchronization
  network 1.0.0.1 mask 255.255.255.255
! ibgp
  ! ibgp peers
  !
  neighbor 1.0.0.2 remote-as 1
  neighbor 1.0.0.2 description iBGP peer 3
  neighbor 1.0.0.2 update-source Loopback0
  !
  neighbor 1.0.0.3 remote-as 1
  neighbor 1.0.0.3 description iBGP peer 2
  neighbor 1.0.0.3 update-source Loopback0


The routers in the middle use an additional eBGP configuration:

Code:
interface Loopback0
  description Loopback
  ip address 1.0.0.2 255.255.255.255   
!
interface f0/0
  description 3 to 1
  ip address 10.0.0.6 255.255.255.252   
  ip ospf cost 1
  duplex auto
  speed auto
  no shutdown
!

interface f1/0
  description 3 to 2
  ip address 10.0.0.14 255.255.255.252   
  ip ospf cost 1
  duplex auto
  speed auto
  no shutdown
!

interface f2/0
  description 3 to 5
  ip address 10.0.128.1 255.255.255.252   
  duplex auto
  speed auto
  no shutdown
!
!
router ospf 1
! Loopback
  network 1.0.0.2 0.0.0.0 area 0
  log-adjacency-changes
  passive-interface Loopback0
  network 10.0.0.4 0.0.0.3 area 0
  network 10.0.0.12 0.0.0.3 area 0
!
!
router bgp 1   
  bgp router-id 1.0.0.2
  no synchronization
  network 1.0.0.2 mask 255.255.255.255
! ibgp
  ! ibgp peers
  !
  neighbor 1.0.0.1 remote-as 1
  neighbor 1.0.0.1 description iBGP peer 1
  neighbor 1.0.0.1 update-source Loopback0
  neighbor 1.0.0.1 next-hop-self
  !
  neighbor 1.0.0.3 remote-as 1
  neighbor 1.0.0.3 description iBGP peer 2
  neighbor 1.0.0.3 update-source Loopback0
  neighbor 1.0.0.3 next-hop-self
!
! ebgp
  !
  neighbor 10.0.128.2 remote-as 2
  neighbor 10.0.128.2 description eBGP to 5
  neighbor 10.0.128.2 send-community
  neighbor 10.0.128.2 next-hop-self


While I can ping from router 1 to the tunnel interface across (10.0.0.10), I can't ping from loopback to loopback although I can see them in the IP BGP tables. That means that if a router were attached to router 1 it could not use the tunnel to deliver traffic to the other side of the tunnel. My question is: is there any way to configure the tunnel routers so that they can send any traffic across the tunnel using BGP? Please consider that the program works mostly with loopbacks (using a pool so all loopbacks are different) as it doesn't "know" any network routes when it's executed, so it can't just "ip route" to a physical interface across because it doesn't know that interface. Thanks.
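An added config lint, not part of the original post, that reads a re-typed excerpt of the router 1 config above and reports why nothing beyond the tunnel /30 itself would be forwarded over the tunnel: `tunnel mode ipsec ipv4` configures an IPsec VTI rather than GRE, and no OSPF network statement or BGP neighbor covers the tunnel subnet 10.0.0.8/30, so no routes are ever learned across it. The embedded config text and the `lint_tunnel` / `wildcard_to_net` names are the example's own assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the router 1 config quoted in the post; not a device dump.
ROUTER1_CFG = """\
crypto isakmp key VAULT address 1.0.0.11
interface tunnel16
  ip address 10.0.0.9 255.255.255.252
  tunnel destination 1.0.0.11
  tunnel mode ipsec ipv4
router ospf 1
  network 1.0.0.1 0.0.0.0 area 0
  network 10.0.0.4 0.0.0.3 area 0
  network 10.0.0.0 0.0.0.3 area 0
router bgp 1
  neighbor 1.0.0.2 remote-as 1
  neighbor 1.0.0.3 remote-as 1
"""


def wildcard_to_net(addr, wildcard):
    """OSPF wildcard masks are inverted netmasks (0.0.0.0 = a single host)."""
    bits = int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)


def lint_tunnel(cfg):
    """Return findings explaining why no traffic beyond the /30 would use the tunnel."""
    findings = []
    ike_peers = set(re.findall(r"crypto isakmp key \S+ address (\S+)", cfg))
    body = re.search(r"interface tunnel\d+\n((?:  .*\n)+)", cfg, re.I).group(1)
    ip, mask = re.search(r"ip address (\S+) (\S+)", body).groups()
    tun_net = ipaddress.ip_interface(f"{ip}/{mask}").network
    dest = re.search(r"tunnel destination (\S+)", body).group(1)
    mode = re.search(r"tunnel mode (.+)", body)
    mode = mode.group(1).strip() if mode else "gre ip"  # IOS default encapsulation
    if dest not in ike_peers:
        findings.append(f"no ISAKMP pre-shared key for tunnel peer {dest}")
    if not mode.startswith("gre"):
        findings.append(f"tunnel mode is '{mode}' (IPsec VTI), not GRE over IPsec")
    ospf_nets = [wildcard_to_net(a, w) for a, w in re.findall(r"network (\S+) (\S+) area", cfg)]
    bgp_peers = [ipaddress.ip_address(p) for p in re.findall(r"neighbor (\S+) remote-as", cfg)]
    if not (any(n.overlaps(tun_net) for n in ospf_nets) or any(p in tun_net for p in bgp_peers)):
        findings.append(f"no OSPF network or BGP neighbor covers tunnel subnet {tun_net}; "
                        "no routes will be learned across it")
    return findings


if __name__ == "__main__":
    for finding in lint_tunnel(ROUTER1_CFG):
        print("FINDING:", finding)
```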



